Thanks. The info helps. Starting to get a picture.
Bret
Gustav Schaffter wrote:
>
> Bret,
>
> I was logging my DENY'ed incoming calls to auth. I noticed that my
> external pop3 server always asked me for auth. I also noticed that many
> (but not all) file downloads with both http and ftp protocol, when
> started from NetScape, called my auth server. This normally gave me
> about 30 seconds of delay before the downloading of pop3 mail or
> http/ftp transfer of files began. I have so far never suffered from
> being refused any service on the net because of DENY'ing auth calls.
>
> I have later learnt that it might be smarter to REJECT calls to auth
> than DENY'ing them. Should reduce number of retries and thereby shorten
> any timeouts.
>
> For the time being I'm ALLOW'ing the auth calls. Might go for REJECT
> later on, though.
>
> One advantage with running auth from tcp wrappers is of course that it's
> somewhat protected(?). I mean, the standard setup for port sentry is to
> add any port scanning IP's to the tcp wrappers hosts.deny file.
>
> I guess unless you're having a very high volume of calls for auth, the
> performance penalty is not high enough to get worried about.
>
> Best regards
> Gustav
>
> Bret Hughes wrote:
> >
> > I too have been wondering about this.
> >
> > Seems like it would be a tad faster to have it running standalone. It
> > will also use some resources all the time as opposed to inetd starting
> > it, sending it the query and letting it shut down. At least if my
> > understanding of inetd is correct. I don't know what the frequency of
> > calls to auth would have to be before the overhead of starting and
> > stopping it becomes a greater load than having it running all the time.
> >
> > Is there any logging or other security features gained from using inetd
> > with auth?
> >
> > Since I have been lurking I have been wondering which processes use
> > auth? Surely not every connection sends an auth request, but I don't
> > know in the real world even how often it is used. What would happen if
> > it was not running?
> >
> > Bret
> >
> > Charles Galpin wrote:
> > >
> > > Thanks Gordon!
> > >
> > > Boy, right in front of my nose too. I knew it was going to be an easy
> > > fix.
> > >
> > > However, two things.
> > >
> > > 1. Like Gustav, I would like to know which is better
> > > 2. I did not have identd selected in ntsysv, and am quite sure I didn't
> > > start it myself. So how did it get started? I'm thinking linuxconf is
> > > trying to do it. If this is true, then maybe the simplest route is to run
> > > it standalone and remove from inetd.conf. Anyone?
> > >
> > > On Mon, 13 Mar 2000, Gordon Messmer wrote:
> > >
> > > > Charles Galpin wrote:
> > > > > Mar 13 22:49:24 server inetd[10663]: auth/tcp: bind: Address already in use
> > > > > Mar 13 22:59:24 server inetd[10663]: auth/tcp: bind: Address already in use
> > > > >
> > > > > I have named setup to run at boot time in ntsysv.
> > > >
> > > > hehehe... The "bind" in the syslog is referring to the bind() system
> > > > call, not the BIND software :)
> > > >
> > > > You're getting the error because you're trying to run identd (auth
> > > > service) as a standalone daemon _AND_ through inetd. Turn one of them
> > > > off.
>
> --
> pgp = Pretty Good Privacy. To get my public pgp key, send an e-mail to:
> [EMAIL PROTECTED]
>
> Visit my web site at http://www.schaffter.com
>
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
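
Added example, not part of the thread and not code from any poster: a Python sketch that reproduces the two socket behaviours discussed above, the "bind: Address already in use" error from a second listener on the same port, and the immediate refusal a caller sees when nothing accepts the connection. It assumes Linux and uses loopback with kernel-chosen ports rather than the real auth port (113); the function names are hypothetical.

```python
import errno
import socket
import time

LOOPBACK = "127.0.0.1"  # assumption: loopback with kernel-chosen ports, not port 113


def second_bind_error():
    """Bind a listener, then bind a second socket to the same port.

    Mirrors identd running standalone while inetd also tries to bind auth/tcp.
    Returns the errno name from the second bind(), or "OK" if it succeeded.
    """
    with socket.socket() as first, socket.socket() as second:
        first.bind((LOOPBACK, 0))          # port 0: let the kernel pick a free port
        first.listen(1)
        port = first.getsockname()[1]
        try:
            second.bind((LOOPBACK, port))  # same address and port, no SO_REUSEADDR
        except OSError as exc:
            return errno.errorcode[exc.errno]
        return "OK"


def refused_connect(timeout=5.0):
    """Connect to a port that is bound but not listening.

    The caller is refused at once, the behaviour REJECT aims for; a DENY'ed
    (dropped) SYN would instead leave connect() retrying until the timeout.
    Returns (errno name or "OK", seconds spent in connect()).
    """
    with socket.socket() as holder, socket.socket() as client:
        holder.bind((LOOPBACK, 0))         # reserve a port but never listen() on it
        port = holder.getsockname()[1]
        client.settimeout(timeout)
        start = time.monotonic()
        try:
            client.connect((LOOPBACK, port))
            name = "OK"
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, type(exc).__name__)
        return name, time.monotonic() - start


if __name__ == "__main__":
    print("second bind():", second_bind_error())
    print("connect to non-listening port: %s after %.3fs" % refused_connect())
```

The non-listening port stands in for a REJECT rule only in the sense that the client gets an error straight away; a packet filter may signal the refusal differently on the wire.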